Bug 2422836 (CVE-2025-68301)

Summary: CVE-2025-68301 kernel: net: atlantic: fix fragment overflow handling in RX path
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
An out-of-bounds write vulnerability was found in the Aquantia Atlantic network driver in the Linux kernel. When receiving packets that span more than MAX_SKB_FRAGS (17) fragments, the driver writes beyond the skb fragment array bounds in skb_add_rx_frag(), causing kernel memory corruption and panic.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-12-16 16:05:24 UTC 
In the Linux kernel, the following vulnerability has been resolved:

net: atlantic: fix fragment overflow handling in RX path

The atlantic driver can receive packets with more than MAX_SKB_FRAGS (17)
fragments when handling large multi-descriptor packets. This causes an
out-of-bounds write in skb_add_rx_frag_netmem() leading to kernel panic.

The issue occurs because the driver doesn't check the total number of
fragments before calling skb_add_rx_frag(). When a packet requires more
than MAX_SKB_FRAGS fragments, the fragment index exceeds the array bounds.

Fix by assuming there will be an extra frag if buff->len > AQ_CFG_RX_HDR_SIZE,
then all fragments are accounted for. And reusing the existing check to
prevent the overflow earlier in the code path.

This crash occurred in production with an Aquantia AQC113 10G NIC.

Stack trace from production environment:
```
RIP: 0010:skb_add_rx_frag_netmem+0x29/0xd0
Code: 90 f3 0f 1e fa 0f 1f 44 00 00 48 89 f8 41 89
ca 48 89 d7 48 63 ce 8b 90 c0 00 00 00 48 c1 e1 04 48 01 ca 48 03 90
c8 00 00 00 <48> 89 7a 30 44 89 52 3c 44 89 42 38 40 f6 c7 01 75 74 48
89 fa 83
RSP: 0018:ffffa9bec02a8d50 EFLAGS: 00010287
RAX: ffff925b22e80a00 RBX: ffff925ad38d2700 RCX:
fffffffe0a0c8000
RDX: ffff9258ea95bac0 RSI: ffff925ae0a0c800 RDI:
0000000000037a40
RBP: 0000000000000024 R08: 0000000000000000 R09:
0000000000000021
R10: 0000000000000848 R11: 0000000000000000 R12:
ffffa9bec02a8e24
R13: ffff925ad8615570 R14: 0000000000000000 R15:
ffff925b22e80a00
FS: 0000000000000000(0000)
GS:ffff925e47880000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff9258ea95baf0 CR3: 0000000166022004 CR4:
0000000000f72ef0
PKRU: 55555554
Call Trace:
<IRQ>
aq_ring_rx_clean+0x175/0xe60 [atlantic]
? aq_ring_rx_clean+0x14d/0xe60 [atlantic]
? aq_ring_tx_clean+0xdf/0x190 [atlantic]
? kmem_cache_free+0x348/0x450
? aq_vec_poll+0x81/0x1d0 [atlantic]
? __napi_poll+0x28/0x1c0
? net_rx_action+0x337/0x420
```

Changes in v4:
- Add Fixes: tag to satisfy patch validation requirements.

Changes in v3:
- Fix by assuming there will be an extra frag if buff->len > AQ_CFG_RX_HDR_SIZE,
  then all fragments are accounted for.
Comment 1 Alexander B 2025-12-16 17:32:19 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025121643-CVE-2025-68301-be31@gregkh/T
Comment 4 errata-xmlrpc 2026-01-19 03:08:46 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:0760 https://access.redhat.com/errata/RHSA-2026:0760
Comment 5 errata-xmlrpc 2026-01-19 03:48:28 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:0759 https://access.redhat.com/errata/RHSA-2026:0759
Comment 6 errata-xmlrpc 2026-01-26 14:21:04 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:1143 https://access.redhat.com/errata/RHSA-2026:1143
Comment 7 errata-xmlrpc 2026-02-02 09:50:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:1690 https://access.redhat.com/errata/RHSA-2026:1690
Comment 8 errata-xmlrpc 2026-02-02 11:17:23 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:1703 https://access.redhat.com/errata/RHSA-2026:1703
Comment 10 errata-xmlrpc 2026-02-02 15:25:26 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:1727 https://access.redhat.com/errata/RHSA-2026:1727
Comment 12 errata-xmlrpc 2026-02-04 09:03:44 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On

Via RHSA-2026:1886 https://access.redhat.com/errata/RHSA-2026:1886
Comment 13 errata-xmlrpc 2026-02-04 15:44:43 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2026:1879 https://access.redhat.com/errata/RHSA-2026:1879
Comment 14 errata-xmlrpc 2026-02-04 18:28:38 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:1909 https://access.redhat.com/errata/RHSA-2026:1909
Comment 15 errata-xmlrpc 2026-02-04 18:51:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:1946 https://access.redhat.com/errata/RHSA-2026:1946
Comment 16 errata-xmlrpc 2026-02-11 00:16:10 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2026:2490 https://access.redhat.com/errata/RHSA-2026:2490
Comment 17 errata-xmlrpc 2026-02-11 11:51:03 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2026:2535 https://access.redhat.com/errata/RHSA-2026:2535
Comment 18 errata-xmlrpc 2026-02-11 16:30:46 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2026:2573 https://access.redhat.com/errata/RHSA-2026:2573
Comment 19 errata-xmlrpc 2026-02-11 17:03:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2026:2577 https://access.redhat.com/errata/RHSA-2026:2577
Comment 20 errata-xmlrpc 2026-02-12 15:12:38 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support

Via RHSA-2026:2664 https://access.redhat.com/errata/RHSA-2026:2664